Dharmesh B. Rathod, General Manager - Information Security (CISO), Adani Enterprises
“Risk Management cuts across almost all areas within Information Technology by the mere fact that no risks can be eliminated; however, they can be minimized through due risk management methodologies and relevant applicable remedial measures.”
Over time, Information Technology has grown and scaled from a support organization into a business enabler, driven by continuous innovation and the deep dependency that industry has come to place on IT. While this growth has vastly expanded the IT landscape, managing the risks around IT has attracted its own focus along the way. Earlier, risk was considered and addressed only in the later stages of IT initiatives and assignments; most of the time risk management was a compulsion to remediate a few minor risks, and that in an unstructured manner. That is no longer the case: IT Risk Management is now a niche discipline in its own right and is looked upon as one of the key decision-making functions across the overall Information Technology arena.
Having established the importance of IT Risk Management, the function calls for distinct deliverables backed by deep skill sets. How the function exists varies from a dedicated team to a shared skill set, depending on the organization's structure, business focus and priorities.
Whether IT Risk Management is run by individuals, a team or shared professionals, its focus should rest on a few clear areas: the scope to which risk management applies; the applicable risk management frameworks; the identification, treatment and ongoing management of risk through processes and controls; and the optimization and/or mitigation of risk.
Scope defines the boundaries of the target area that is to be subjected to risk management, and thereby dictates how the approach and methodology are set and aligned. For effective governance, scoping also helps derive projections of time, effort and cost.
A risk management framework should be chosen and customized to the level of detail one is prepared to manage, so that coverage is complete and the outcome is assured to the intended level.
Risk identification means drilling into the scoped area and finding the potential threats that could result in tangible or intangible losses to IT assets and information. One must have a clear understanding of the current security posture and the organization's risk appetite. This enables the risk management function to apply a structured and measurable approach to IT risks and to arrive at an outcome that falls within the acceptable criticality levels agreed earlier with all stakeholders. A diligent identification methodology also helps align the safeguards and controls selected in the treatment phase.

Risk treatment methodologies are closely bound to the organization's risk appetite, and the treatment adopted depends on each risk's criticality and priority. Treatment also calls for a further step into technology areas, since safeguards can be processes and/or technologies. The risk management team should apply a profound, in-depth analysis, including a cost-benefit analysis, when choosing safeguards and controls. In most scenarios, applying risk treatment and managing the treated risks go hand in hand.
The risk mitigation phase directs one to lower the threat level through remedial measures. A tangible, measurable mitigation methodology is always envisaged and aspired to; however, not every area lends itself to measurement, and there qualitative (intangible) methodologies must be adopted. The rule of thumb the risk management team should adhere to is to lower the criticality/severity of risks, not to eliminate risk.
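The identification, treatment and mitigation steps above are easier to see in a worked risk register. The following is an added example, not the author's method or any tool the article mentions: it assumes a likelihood (1-5) by impact (1-5) scoring model, a risk appetite expressed as a maximum acceptable score, and a cost-benefit rule that adopts the cheapest candidate control which both brings the residual score within appetite and saves more expected annual loss than it costs. Every asset, threat, control and figure in it is constructed for illustration.

```python
"""Worked risk-register pass: identify, score, treat and re-score.

Assumed model (the article prescribes no formula): risk score = likelihood (1-5) x
impact (1-5); risk appetite = maximum acceptable score; a control is adopted only if
its residual score is within appetite AND its expected annual loss reduction exceeds
its annual cost, choosing the cheapest such control. All assets, figures and control
names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # constructed, currency units per year
    residual_likelihood: int  # 1-5 after the control is in place
    residual_impact: int      # 1-5 after the control is in place


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    annual_loss_exposure: float  # constructed expected annual loss if untreated
    candidates: List[Control] = field(default_factory=list)


def score(likelihood: int, impact: int) -> int:
    """Risk score on a 1..25 scale; rejects values outside the 1-5 bands."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact


def choose_treatment(risk: Risk, appetite: int) -> Tuple[str, Optional[Control], int]:
    """Return (decision, chosen control or None, residual score).

    decision is one of:
      accept   - inherent score already within appetite
      mitigate - a cost-justified control brings the score within appetite
      escalate - no candidate qualifies; stakeholders must decide (exception,
                 transfer, avoid) rather than the risk team silently accepting
    """
    inherent = score(risk.likelihood, risk.impact)
    if inherent <= appetite:
        return "accept", None, inherent
    qualifying = []
    for ctl in risk.candidates:
        residual = score(ctl.residual_likelihood, ctl.residual_impact)
        if residual >= inherent:
            continue  # a "control" that does not lower the score is not a treatment
        # Benefit: exposure scaled by the fraction of the score the control removes.
        benefit = risk.annual_loss_exposure * (inherent - residual) / inherent
        if residual <= appetite and benefit > ctl.annual_cost:
            qualifying.append((ctl.annual_cost, ctl, residual))
    if not qualifying:
        return "escalate", None, inherent
    _, ctl, residual = min(qualifying, key=lambda q: q[0])  # cheapest way into appetite
    return "mitigate", ctl, residual


def build_register() -> List[Risk]:
    """Constructed sample register with four risks that end in different decisions."""
    return [
        Risk("ERP database", "unpatched critical vulnerability exploited", 4, 5, 500_000, [
            Control("Monthly patch cycle", 40_000, 2, 5),
            Control("WAF in front of ERP only", 25_000, 3, 5),  # cheaper, but stays above appetite
        ]),
        Risk("Laptop fleet", "loss of a full-disk-encrypted laptop", 3, 1, 5_000, []),
        Risk("Legacy SCADA HMI", "ransomware spreading over a flat network", 3, 5, 2_000_000, [
            Control("Network segmentation", 300_000, 1, 5),
            Control("Endpoint AV on HMI", 20_000, 3, 5),  # no score reduction: rejected
        ]),
        Risk("Vendor portal", "third-party credential compromise", 4, 4, 60_000, [
            Control("MFA for vendor accounts", 35_000, 2, 4),  # within appetite but costs more than it saves
        ]),
    ]


def treat_register(risks: List[Risk], appetite: int) -> dict:
    """Map asset -> (decision, control name, inherent score, residual score)."""
    out = {}
    for r in risks:
        decision, ctl, residual = choose_treatment(r, appetite)
        out[r.asset] = (decision, ctl.name if ctl else None, score(r.likelihood, r.impact), residual)
    return out


if __name__ == "__main__":
    for asset, row in treat_register(build_register(), appetite=12).items():
        print(f"{asset:18} {row[0]:9} {row[1] or '-':28} inherent={row[2]:2} residual={row[3]:2}")
```

Two points to note when reading the output. No residual score ever reaches zero, which is the article's rule of thumb: treatment lowers severity, it does not eliminate the risk. The vendor portal case shows the cost-benefit test rejecting a control even though it would bring the risk within appetite; the register then escalates it to stakeholders rather than letting the risk team accept it on its own.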
The risk management function should also build in a well-integrated check mechanism, so that a sustainable and effective approach is adopted and practised, with periodic checks on risk levels and their impact. A well-thought-out review mechanism built around organizational goals and priorities serves this purpose well, since risk management of any magnitude has to align with the organization's vision and goals at every stage.
IT risk management is no different from any other risk management, and a variety of risk management methodologies are available to support it. One should pursue the right risk management program, chosen on the basis of organizational priorities, business domain and risk appetite.